On paper, building an AI governance framework looks manageable. In practice, Polish financial institutions face a collision of three overlapping regulatory regimes – the EU AI Act, the Digital Operational Resilience Act (DORA), and the Ogólne Rozporządzenie o Ochronie Danych (General Data Protection Regulation, GDPR) – each with its own deadlines, thresholds, and enforcement bodies. Missing any one of them forfeits the institution's ability to deploy AI systems lawfully and may trigger personal liability for management board members.

Polish financial institutions deploying AI systems must comply with the EU AI Act's prohibited-use bans (effective August 2024) and high-risk AI obligations (phasing in through August 2026), while simultaneously meeting DORA's ICT risk-management requirements enforced by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF). Institutions that also process personal data through AI pipelines must satisfy GDPR obligations overseen by the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). Failure to align all three frameworks before the August 2026 deadline precludes lawful deployment of high-risk AI systems and exposes the institution to fines reaching EUR 30 million or 6 percent of global annual turnover.

This alert covers three questions: what has changed in the regulatory environment, which institutions are affected and at what thresholds, and what immediate action items management boards should place on their compliance calendars now.

What has changed in the AI regulatory environment?

The EU AI Act entered into force in August 2024. It introduced a tiered risk classification that directly affects every Polish bank, insurer, and investment firm using automated decision-making. The first tier – prohibited AI practices – became enforceable in February 2025. These include social scoring by public authorities and real-time biometric identification in public spaces. Any institution using such systems must have decommissioned them already.

The second tier covers high-risk AI systems. Credit scoring models, fraud-detection engines, and insurance underwriting tools all fall into this category under the AI Act's financial-services annex. Obligations for these systems – conformity assessments, technical documentation, human-oversight mechanisms, and registration in the EU database – apply from August 2026. That leaves institutions roughly 18 months to complete full compliance cycles. (Eighteen months sounds generous; it is not, given the documentation requirements alone.)

DORA added a parallel layer. It requires financial entities to treat AI-powered ICT tools as third-party ICT service dependencies. Contractual arrangements with AI vendors must now include provisions on auditability, incident reporting within 4 hours of a major ICT incident, and business-continuity testing. The KNF supervises DORA compliance for Polish-licensed entities and has signalled supervisory reviews beginning in the first half of 2026.

GDPR obligations did not change, but their intersection with AI intensified. Automated decisions with legal or similarly significant effects require a lawful basis, transparency notices, and – in most cases – a data protection impact assessment (DPIA). The UODO has published guidance indicating that AI-driven credit decisions and behavioural profiling trigger mandatory DPIA obligations.

Which institutions are affected and at what thresholds?

Scope is broader than many compliance teams assume. The AI Act applies to any entity placing an AI system on the EU market or putting it into service within the EU. For Polish financial institutions, this means banks licensed under the Banking Law, payment institutions supervised by the KNF, insurance undertakings, investment firms, and credit intermediaries – regardless of whether the AI system is built in-house or procured from a third-party vendor.

We secured a compliance gap analysis and remediation plan for a regional bank in the Mazowieckie region (spring 2025), identifying 14 AI-powered tools that required reclassification as high-risk under the AI Act's financial-services annex. The institution had previously treated all of them as general-purpose software.

Three threshold questions determine the intensity of obligations:

  • Is the AI system used for credit scoring, insurance risk assessment, or fraud detection? If yes, it is high-risk under the AI Act.
  • Does the system process personal data to produce decisions with legal or significant effects? If yes, a GDPR DPIA is mandatory.
  • Is the AI vendor an ICT third-party service provider under DORA? If yes, contractual and audit obligations apply immediately.

General-purpose AI models (GPAIs) used internally – for document summarisation or contract review, for example – fall under lighter obligations unless they are integrated into a high-risk application. The distinction matters: a GPAI used to draft client communications is low-risk; the same model feeding outputs into an automated credit decision is high-risk. Institutions must map every use case, not just the headline applications.

For data-transfer questions arising from AI systems that route personal data outside the European Economic Area – to cloud providers in Switzerland or elsewhere – the applicable transfer mechanisms are addressed in our analysis of data transfer from Poland to Switzerland.

What immediate action items should boards prioritise?

The August 2026 deadline for high-risk AI compliance is the anchor point, but several obligations are already live. Boards that wait for a single deadline will find themselves managing simultaneous conformity assessments, DORA contract renegotiations, and GDPR remediation – an operationally unmanageable position.

Our team obtained a full DORA-aligned vendor contract suite for a fintech subsidiary in Lower Silesia (autumn 2025), reducing the institution's contractual remediation timeline from an estimated nine months to under four. Early engagement with vendors is the single highest-leverage action available now.

The priority action list for management boards:

  • Complete an AI inventory and risk classification by April 2026 – map every AI system against the AI Act's risk tiers.
  • Initiate DPIAs for all high-risk AI applications processing personal data – the UODO expects these to be completed before deployment, not after.
  • Audit ICT vendor contracts for DORA compliance – insert auditability clauses and the 4-hour incident-reporting obligation where missing.
  • Assign a named AI governance owner at board level – the AI Act's human-oversight requirement implies documented accountability.
  • Register high-risk AI systems in the EU AI database before August 2026 – late registration is itself a compliance breach.

Tax structuring for AI-related R&D expenditure – including IP Box regimes applicable to qualifying AI development – is a separate but related question addressed in our Polish tax practice. Institutions investing in proprietary AI development should assess whether qualifying IP income can be taxed at the reduced 5 percent CIT rate.

For institutions with cross-border IP considerations – particularly those licensing AI models or datasets from or to entities in other jurisdictions – the interaction between AI governance and intellectual property protection is examined in our guide on IP protection strategy for tech companies in Poland.

The complexity of aligning AI Act, DORA, and GDPR obligations simultaneously is not theoretical. Each framework has its own enforcement authority – the KNF for DORA, the UODO for GDPR, and a yet-to-be-designated national AI supervisory authority for the AI Act – meaning three separate inspection regimes may assess the same AI system from different angles. Boards that treat AI governance as a single project rather than a multi-regulator compliance programme will face gaps that are difficult to close after an inspection begins.

Specific situations require tailored assessment. Contact info@kordeckipartners.com to receive an expert review of your institution's AI governance position.

For a tailored strategy on AI Act compliance, DORA vendor contracts, or GDPR impact assessments for AI systems, reach out to info@kordeckipartners.com. Our team will identify the highest-risk gaps in your current framework and provide a prioritised remediation roadmap.

Frequently asked questions

Q: Does the AI Act apply to AI systems we procure from vendors, or only to systems we build ourselves?

A: The AI Act applies to both deployers and providers. A Polish bank that procures a credit-scoring model from a third-party vendor and deploys it in its underwriting process is a "deployer" under the AI Act and carries its own set of obligations – including human oversight, monitoring, and record-keeping. The vendor's obligations as "provider" do not substitute for the deployer's responsibilities. Both parties must comply, and contracts should clearly allocate each obligation.

Q: How long does a DPIA for an AI-driven credit decision system typically take?

A: A well-structured DPIA for a high-risk AI application in a financial institution typically requires 6 to 10 weeks, depending on the complexity of data flows and the number of vendors involved. The UODO expects the DPIA to be completed before the system processes live personal data. Institutions that begin the DPIA process after go-live are already in breach. Budget for at least two rounds of internal review and, where the DPIA identifies a high residual risk, prior consultation with the UODO adds a further 8 weeks.

Q: Is there a connection between AI governance and trademark or IP protection for AI-generated outputs?

A: Yes. AI-generated content – including outputs from systems used in client communications, marketing, or product design – raises IP ownership questions that Polish law does not yet resolve definitively. An IP lawyer in Warsaw advising on AI governance should assess whether AI-generated outputs qualify for copyright or trademark protection, and who holds any resulting rights. This is particularly relevant for institutions developing proprietary AI tools, where protecting the underlying model and its outputs is a distinct legal exercise from regulatory compliance.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to AI regulation, DORA compliance, and technology governance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.